An anonymous reader writes "Pennsylvania's chief information security officer Robert Maley has been fired for publicly talking about a security incident involving the Commonwealth's online driving exam scheduling system. He apparently did not get the required approval for talking about the incident from appropriate authorities."

What's the story here? He blabbed on a security issue without approval...

The firing seems heavy-handed. Don't you want your Chief Information Security Officer participating in industry security conferences, selectively sharing the experiences of your organization with security professionals so as to help find long term solutions?

Do you want this happening while there is apparently an ongoing investigation? There are reasons why there are approval rules, and they aren't about old bureaucracy and control freaks.

If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.

If the internal security failure led to your private information being leaked and the possibility of financial loss to you, I think that you might be of the opinion that there should be legislation which deals with disclosure. Actually, there is such legislation in many jurisdictions. And you also have Sarbanes–Oxley stuff which is supposed to encourage whistleblowing.

Except this is an ongoing police investigation. There is a difference. And a panel discussion isn't necessarily the best way to network with peers on issues like this. He made a mistake and paid for it. It was a bit harsh, but not totally out of line.

However, she contested several media reports that have described the incident as a hacking attack, and said that as far as the department was aware, there had been no hack or breach of the system.

Don't you hate it when people imply that their system was not "hacked" simply because they didn't provide the proper precautions to stop the leaking of internal data or changing database information in a way it was not intended?

According to our current definitions... IT WAS A HACK. Whether something is a hack is not determined by the ease with which it is performed or the size of the damage, no matter how minimal.

She is describing "hack" in terms of ramifications.

This concept is almost as silly as attempting to make breaking DRM code illegal without considering the quality of the code or the logic/math behind it. For example, I could take code and increment each character, i.e. a => b, b => c, ... z => a, and then call this "DRM". Now if any pre-teen tries to run this through their decoder ring to "break it"... they get a free pass to jail.

Every time the media has reported on something I knew about personally, I was always shocked at the number and magnitude of factual errors they made, the twisting of focus away from the main issue.

I agree 110%. The stories I've seen broadcast about events I had personal knowledge of made it so I trust the media story about as much as I'd trust a junkie with the safekeeping of a kilo of heroin.

I was mostly responding to the theory that if someone screws up once in a (seemingly) minor way they are untrustworthy to do anything ever again. Hell, even if they screw up in a major way (assuming something short of gross negligence). If that was the case, there would be almost nobody employed anywhere. The story was taken at face value simply for the sake of argument. It's unlikely that a single person here actually knows the real story to any major degree, so discussion is pretty meaningless without taking it at face value. It all ends up being theory and conjecture anyway.

I work for a state agency in IT. Not a bench tech but up the chain a bit. We have all signed forms saying that we will not divulge anything about our environment - what we run, any breaches, etc. Talking to the media is out of the question. Talking to a group is allowed IF the content is very general. One of our guys talked to the media once (and slammed the state in the process) and got slapped so hard he ended up leaving.

I have to wonder if the person who fired him was a real IT person who would learn from him sharing his story or someone who was appointed after years of doing something else and thought that his talk revealed a hack. I used to work for an IT person who was a social worker and climbed the ranks.